Clever Smitfraud….
Sometimes you see a malware implementation that you have to have respect for the cleverness/ingenuity of the design. These pests can be dastardly to get rid of, but essentially this pest was occasionally popping up a “windows integrity scanner” installer. It wasn’t frequent, but it was persistent and the user was afraid that it was the gateway to other bad stuff. (That’s correct…) Anyway on inspecting the msconfig list of programs running at startup I found gsudxz.exe or some such nonsense (psuedo-random string of letters). I opted to reboot into safe mode and run the smitfraud removal tool because this looked like a typical smitfraud infection… turns out it wasn’t though.
The removal tool did it’s job, found the item I had suspected and I rebooted to find it gone. I continued to work on the machine for another 40 minutes or so on another issue and left. I soon had a call that it had returned! So, I revisited and sure enough there was another entry in the startup list…. wdxcijk.exe or something similar… Hmmm… were is the “puppet master” process though? I killed off the process in memory and the startup entry, but knew there must be something “lurking in the shadows” that put it back in place.
So, I ran the Autorun utility from sysinternals…. I haven’t used that utility before believe it or not, but it does an EXCELLENT job of listing every thing that might automatically run or load at startup. It turns out that there are run entries in the registry that are not displayed by msconfig. (Thanks microsoft…) This particular baddie had taken up residence at hklm (hkey local machine) / software / microsoft / windows / current version / policies / explorer / run … an the file it was running was safely tucked away in the c:\documents and settings\all users\application data area….
so this process was responsible for running at startup and making sure that it’s minion was active. If the minion wasn’t active it would create a fresh copy and run it/place it in the regular startup area. Clever…. someone cleaning manually or via utility would quite easily find the and remove and not be certain how it kept sneaking back in.